On Thu, Jun 19, 2014 at 02:56:49PM +0200, mvadkert wrote:
> Hi everyone,
>
> I just came across a contradiction between the man page of AuthenticationMethods and the accepted
> methods list.
>
> According to the sshd_config manual page:
> """
> AuthenticationMethods
>
> Specifies the authentication methods that must be successfully completed for a user to be granted
> access. This option must be followed by one or more comma-separated lists of authentication method
> names. Successful authentication requires completion of every method in at least one of these lists.
> """"
>
> But in reality the also an empty list is accepted by sshd (servconf.c:1605).
>
> What is the reason to accept an empty method list? Does the man page need an update?
>
Hi,
I believe that this is a bug in the parsing code which doesn't handle empty list correctly. The following patch
fixes it.
--- a/servconf.c
+++ b/servconf.c
@@ -1630,6 +1630,8 @@ process_server_config_line(ServerOptions *options, char *line,
break;
case sAuthenticationMethods:
+ if (cp == NULL || *cp == '\0')
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
if (*activep && options->num_auth_methods == 0) {
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_auth_methods >=
--
Petr Lautrbach
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
